This invention generally relates to methods of navigating among protected information resources in a network environment. The invention relates more specifically to data models, methods, apparatus, and products for viewing network resources based on a role of a user of the resources.
Computer networks have become ubiquitous in business, industry, and education. In one approach, a network is configured with one or more user accounts, each of which is uniquely associated with a human network user or host computer. The network also has one or more resources, such as application programs that provide various computing functions, which are available to all users. In this approach, a user logs into his or her user account, selects a desired application. A disadvantage of this approach is that every user has the same rights to access any of the network resources.
Development of the globally accessible, packet-switched network known as the Internet has enabled network resources, accounts and applications to become available worldwide. Development of hypertext protocols that implement the World Wide Web (xe2x80x9cThe Webxe2x80x9d) is enabling networks to serve as a platform for global electronic commerce. In particular, the Web is enabling the easy exchange of information between businesses and their customers, suppliers and partners.
Businesses are rushing to publish information on the Web and just as quickly stumbling into several roadblocks. For example, some information is valuable and sensitive, and needs to be made available only to selected users. Thus, there is a need to provide selective access to network resources and information over the Web.
This need exists in the context of internal Web networks that are available to employees of an organization, called Intranets, as well as Web networks and resources that are available to external customers, suppliers and partners of the organization, called extranets. Extranet users may require information from a large number of diverse sources, for example, product catalogs, customer databases, or inventory systems. There may be millions of potential users, the number of which grows dramatically as an organization prospers. Thus, there is a need for a large-scale system that can provide selective access to a large number of information sources for a large number of users.
Because some of the information sources are sensitive, there is a need to provide secure access to the information.
Current networks and Web systems, including Intranets and extranets, are expensive and complex to implement. These technologies also change rapidly. There is a need for any information access method or system to integrate with and use existing equipment, software and systems. There is also a need for method and system that is flexible or adaptable to changing technologies and standards.
One approach to some of the foregoing problems and needs has been to provide each network resource or application program with a separate access control list. When a user connects to the network, the user is presented with a listing of available applications. The user selects an application for use or execution. The access control list identifies users or hosts that are authorized to access a particular application. As new users or hosts are added to the network, the access control lists grow, making security management more complicated and difficult. Use of a large number of separate lists also makes the user experience tedious and unsatisfactory.
Another disadvantage of the foregoing approaches is duplication of management processes. To add new users to the system, a network administrator must repeat similar access processes for each application or resource to be made available to the new users. The redundancy of these processes, combined with rapid growth in the number of users, can make the cost of deploying, managing and supporting a system unacceptably high.
Thus, there is a need for a mechanism to govern access to one or more information resources in which selective access is given to particular users.
There is also a need for such a mechanism that is equally adaptable to an internal network environment and to an external network environment.
There is a further need for such a mechanism that is easy to configure and re-configure as new users and resources become part of the system.
There is still another need for such a mechanism that is simple to administer.
There is a need for such a mechanism that blocks access to, or does not display to the user, those applications for which the user does not have access rights.
There is a need for such a mechanism that is integrated with a flexible, adaptable, additive data model that permits rapid and convenient addition of information describing users and resources, and that automatically propagates the effects of changes in the data model throughout the system.
The foregoing needs, and other needs and objectives that will become apparent from the description herein, are achieved by the present invention, which comprises, in one aspect, a method of controlling access to one or more Web resources stored on a Web server, comprising the steps of receiving information describing a user at the Web server; identifying, at a Web application server coupled to the Web server, a subset of the resources that the user is authorized to access, based on stored information describing one or more roles and one or more access rights of the user that are stored in association with user identifying information; communicating information defining the subset to the first server; and communicating, to a client that is associated with the user, a Web page containing links to only those resources that the user is authorized to access, based on the user""s role within an enterprise that controls the resources.
One feature of this aspect involves storing, in a database, information describing a role of the user, a person type of the user, and a functional group to which the user belongs within the enterprise; and storing an association of the user to the role, person type, and functional group at the Web application server. Another feature involves storing, in a database, information describing one or more roles and functional groups of the enterprise to which the user belongs in association with information describing the user; and determining whether the user may access the resource based on the information describing the roles and functional groups.
A related feature involves, based on the association, automatically granting access to the resource to all users who have the role when the association is stored; and based on the association, automatically denying access to the resource to all users who do not have the role when the association is un-assigned.
According to another feature, the receiving step further comprises the steps of storing, in a database accessible by the Web application server, information describing one or more roles and one or more access rights of the user that are stored in association with user identifying information, wherein the roles represent the work responsibilities carried out by the user in the enterprise, and wherein the access rights represent the kinds and levels of access privileges that are held by the user in the enterprise.
In a related feature, the step of storing information describing a functional group further comprises the steps of storing, in the database, information identifying a department of the enterprise in which persons work who have the role associated with the user. Still another feature involves the steps of storing, in a database accessible by the Web application server, information defining the resource including a resource identifier value, a location value, and a list of protected resources.
According to another feature, the method also involves storing, in the database, an association of each resource to one or more of the roles. In another feature, the method further involves assigning, by storing in the database, an association of a resource to one or more of the roles, and un-assigning the resource from the roles. Yet another feature involves, based on the association, automatically granting access to the resource to all users who have the role when the resource is assigned to that role; and based on the association, automatically denying access to the resource to all users who have the role when the association is un-assigned from that role. Still another feature involves communicating, from the first server to the client, information describing a customized display that identifies only those resources that the user may access.